mcoops / deplist Goto Github PK

Usually Java project dependencies are managed with Maven. In that case a pom.xml will be found at the root of the project. Running mvn --no-transfer-progress dependency:tree will print the direct and transitive Java dependencies.

The maven package needs to installed to provide the command mvn.

Here is some sample output:

--- maven-dependency-plugin:2.8:tree (default-cli) @ hive-shims-common ---
[INFO] org.apache.hive.shims:hive-shims-common:jar:2.3.3
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.6.2:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.6.2:compile
[INFO] +- com.google.guava:guava:jar:14.0.1:compile
[INFO] +- org.apache.hadoop:hadoop-client:jar:2.7.2:compile
[INFO] |  +- org.apache.hadoop:hadoop-common:jar:2.7.2:compile
[INFO] |  |  +- commons-cli:commons-cli:jar:1.2:compile
[INFO] |  |  +- org.apache.commons:commons-math3:jar:3.1.1:compile
[INFO] |  |  +- xmlenc:xmlenc:jar:0.52:compile
[INFO] |  |  +- commons-httpclient:commons-httpclient:jar:3.0.1:compile
[INFO] |  |  |  \- junit:junit:jar:4.11:compile
[INFO] |  |  |     \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] |  |  +- commons-codec:commons-codec:jar:1.4:compile
[INFO] |  |  +- commons-io:commons-io:jar:2.4:compile
[INFO] |  |  +- commons-net:commons-net:jar:3.1:compile
[INFO] |  |  +- commons-collections:commons-collections:jar:3.2.2:compile

In Go 1.14 the default for go list was changed to detect the presence of a vendor directory automatically and use it for resolving dependencies. This library fails to do that for such a module.

We could detect the presence of go.mod and vendor/ and set GOFLAGS=-mod=vendor when both a present forcing go list to use the dependencies in the vendor/ directory to solve modules in go.mod. Eg cfg.Env = append(os.Environ(), "GOFLAGS=-mod=vendor") from go/packages#Config

If there's no yarn.lock file, instead run npm list to use the package.json/lock instead.

Hi,

I am using go version go1.15.15 linux/amd64 which is the latest version on Fedora 33 base repository.

When I try to make or otherwise use deplist, I get this error:

internal/scan/ruby.go:19:18: undefined: os.MkdirTemp
make: *** [Makefile:4: build] Error 2

I was able to work around this by going to

I discovered this after locating: golang/go#42026 . Seems Go 1.16 is required. Just wanted to mention it.

When multiple jar files are encountered and they all report the same dep, at the moment deplist will report duplicates. Does de-dup at the single jar file layer, but needs to be also be moved up higher so the main loop can track only unique entries.

This will allow deduplicating for all langs.

Using cargo tree or some variant also support rust vendoring:

https://doc.rust-lang.org/cargo/commands/cargo-tree.html

We can't assume that the requirements.txt file is at the top level. With the filtering put in place to ignore docs, tests it should be ok to now look for it anywhere.

If there is no yarn.lock or package-lock.json, then process the node_modules directory manually.

Along the lines of:

for modules in node_modules./* {
     output = append(output, {modules[name] modules[version]})
}

This should also account for any transient dependencies too by processing everything in the main node_modules directory.

Not sure yet the best way to approach this, but prob the safest will be to just apply this logic recursively i think, that should be ok and give the best results.

Environment markers in Python requirements files can result in the version being incorrect gathered from the marker. Eg:

unittest2==0.5.1; python_version == '2.6'

Results in dependency being identified as:

{Name:unittest2==0.5.1; python_version Version: '2.6' NVR:unittest2==0.5.1; python_version @ '2.6' Ecosystem:pypi}

Adding .ear, .adm Java archive file format to be supported.